LinkedIn suffers password hack of 6.5 million accounts

Social networking site LinkedIn has warned millions of users to reset their passwords after security information was stolen.

LinkedIn, which is aimed at professionals and has in excess of 161 million members in more than 200 countries, was compromised and members' details were posted online.

"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," LinkedIn director Vicente Silveira said in a statement.

He said the company was investigating the security breach and added that those who were affected will notice their LinkedIn passwords will no longer be valid.

It is thought the passwords of more than 6.5 million people were stolen.

"Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid," Silveira said.

"These members will also receive an email from LinkedIn with instructions on how to reset their passwords."

Users were told they should never change their passwords by following a link sent in an email.

"These affected members will receive a second email from our customer support team providing a bit more context on this situation and why they are being asked to change their passwords," Silveira added.

Marcus Carey, security researcher at Boston-based Rapid7, said he believed the attackers had been inside LinkedIn's network for at least several days, based on an analysis of the type of information stolen and quantity of data posted on forums.

"While LinkedIn is investigating the breach, the attackers may still have access to the system," Carey warned.

"If the attackers are still entrenched in the network, then users who have already changed their passwords may have to do so a second time."

Officials with LinkedIn declined to comment on whether an attack might still be in progress.

The breach is the latest in a string of high-profile hacks affecting companies and governments around the world, which have put the personal information of millions at risk.

News of the breach surfaced earlier this week when computer security experts said they discovered files with some 6.5 million encrypted passwords on underground websites where criminal hackers frequently exchange stolen information.

Graham Cluley, a senior technology consultant with IT security and data protection firm Sophos, said that it is not yet clear if all of those passwords belong to LinkedIn members.

The files included only passwords and not corresponding email addresses, which means that people who download the files and decrypt, or unscramble, the passwords will not easily be able to access any accounts with compromised passwords.

Yet analysts said it is likely that the hackers who stole the passwords also have the corresponding email addresses and would be able to access the accounts.

Sophos warned that hackers will be working to crack the "unsalted" password hashes and "it is reasonable to assume that such information may be in the hands of the criminals".

At least two security experts who examined the files containing the LinkedIn passwords said the company had failed to use best practices for protecting the data.

The experts said that LinkedIn used a vanilla or basic technique for encrypting, or scrambling, the passwords which allowed hackers to quickly unscramble all passwords after they figured out the formula by which any single password had been encrypted.

The social network could have made it extremely tedious for the passwords to be unscrambled by using a technique known as "salting", which means adding a secret code to each password before it is encrypted.
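To make concrete what "unsalted" versus "salted" means in the paragraphs above, here is an added example; it is not code from the article, from LinkedIn, or from any of the researchers quoted. It uses SHA-1 as an illustrative hash (the article does not name the algorithm), and the three usernames, their passwords and the short guessing dictionary are all constructed. It shows that with no salt, two users who chose the same password get the same stored hash, so one precomputed table of hash-to-password lookups reverses every matching account at once; with a per-user random salt (stored next to the hash, and not secret) every guess has to be rehashed separately for every user, and identical passwords no longer look alike.

```python
import hashlib
import hmac
import os

# Constructed sample user table (illustration only; a real system never holds plaintext).
SAMPLE_USERS = {
    "alice": "linkedin",
    "bob": "linkedin",       # same password as alice
    "carol": "correcthorse",
}

# Constructed guessing dictionary of common passwords.
DICTIONARY = ["password", "123456", "linkedin", "qwerty"]


def hash_unsalted(password: str) -> str:
    """Plain SHA-1 of the password with nothing added (illustrative choice of hash)."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """SHA-1 over salt || password. The salt is random per user and stored beside the hash."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """username -> unsalted hash, as a site without salting would store it."""
    return {user: hash_unsalted(pw) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    """username -> (salt, salted hash); a fresh 16-byte salt is drawn for every user."""
    stored = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        stored[user] = (salt, hash_salted(pw, salt))
    return stored


def crack_unsalted(stored: dict, dictionary) -> tuple:
    """Reverse an unsalted table with ONE precomputed lookup table.
    Returns (recovered passwords, number of hash computations spent)."""
    table = {hash_unsalted(guess): guess for guess in dictionary}   # len(dictionary) hashes, once
    recovered = {user: table[h] for user, h in stored.items() if h in table}
    return recovered, len(dictionary)


def crack_salted(stored: dict, dictionary) -> tuple:
    """With per-user salts no shared table exists: each guess is rehashed for each user.
    Returns (recovered passwords, number of hash computations spent)."""
    recovered = {}
    work = 0
    for user, (salt, h) in stored.items():
        for guess in dictionary:
            work += 1
            if hmac.compare_digest(hash_salted(guess, salt), h):
                recovered[user] = guess
                break
    return recovered, work


if __name__ == "__main__":
    unsalted = store_unsalted(SAMPLE_USERS)
    print("alice and bob share a hash:", unsalted["alice"] == unsalted["bob"])
    print("unsalted crack:", crack_unsalted(unsalted, DICTIONARY))
    salted = store_salted(SAMPLE_USERS)
    print("alice and bob share a hash:", salted["alice"][1] == salted["bob"][1])
    print("salted crack:", crack_salted(salted, DICTIONARY))
```

Running it shows the unsalted table reversed with four hash computations in total, while the salted table costs one pass of the dictionary per user and reveals nothing about which users share a password. Salting removes the shared-table shortcut but does not slow down a single guess; that is why it is paired in practice with a deliberately slow password hash such as PBKDF2 or bcrypt.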

"What they did is considered to be poor practice," said Mary Landesman, security researcher with Cloudmark, a company that helps secure messaging systems.

LinkedIn officials declined to comment on the criticism, saying it was discussing the breach only on its official blog.

Silveira said in the blog that the company just recently put in place new security measures to protect customer passwords, including the use of salting techniques.

Last year, a security researcher warned that LinkedIn had flaws in the way it managed communications with browsers to authorize logins, making accounts more vulnerable to attack. The company responded by tightening its procedures for logins.

LinkedIn was co-founded by former PayPal executive Reid Hoffman in 2002 and makes money selling marketing services and subscriptions to companies and job seekers.

Online dating service eHarmony said last night that the passwords of a "small fraction" of its users had also been leaked on to the web.

The site, which says it has more than 20 million registered online users, did not say how many had been affected.

But tech news site Ars Technica said it found about 1.5 million passwords leaked online that appeared to be from eHarmony users.